1. Field of the Invention
The present invention is related to anti-malware technology, and more particularly, to detection and prevention of computer virus-related epidemics.
2. Description of the Related Art
Detection of viruses and malware has been a concern throughout the era of the personal computer. With the growth of communication networks such as the Internet and increasing interchange of data, including the rapid growth in the use of e-mail for communications, infection of computers and networks through communications or file exchanges is an increasingly significant consideration. Infections take various forms, but are mostly related to computer viruses Trojan programs, or other forms of malicious code (i.e., malware).
Recent incidents of e-mail mediated virus attacks have been dramatic in terms of speed of propagation and for the extent of damage, with Internet service providers (ISPs) and companies suffering service problems and a loss of e-mail and networking capability. In many instances, attempts to adequately prevent file exchange or e-mail mediated infections significantly inconvenience computer users and improved strategies for detecting and dealing with massive virus attacks that transform into epidemics are desirable.
A conventional approach to detecting viruses is signature scanning. Signature scanning systems use sample code patterns extracted from known malware code and scan for the occurrence of these patterns in another program code. A primary limitation of the signature scanning method is that only known malicious code is detected, that is, only code that matches the stored sample signatures of known malicious code is identified as infected. All viruses or malicious code not previously identified, and all viruses or malicious code created after the last update of the signature database will not be detected.
In addition, the signature analysis technique fails to identify a virus if the signature is not aligned in the code in the expected fashion. Alternatively, the authors of a virus may obscure the identity of the virus by opcode substitution or by inserting dummy or random code into the virus functions. Nonsense code can alter the signature of the virus to a sufficient extent as to be undetectable by a signature scanning program, without diminishing the ability of the virus to propagate and deliver its payload.
Another virus detection strategy is integrity checking. Integrity checking systems extract a code sample from known benign application program code. The code sample is stored together with the information from the program file, such as the executable program header and the file length, as well as the date and the time stamp of the sample. The program file is checked at regular intervals against this database to check that the program file has not been modified.
A conventional approach uses so-called white lists i.e., the lists of known “clean” software components, links, libraries and other clean objects. In order to compare a suspect object against the white list, hash values can be used. The use of hashes is disclosed, for example, in WO/2007066333 where the white list consists of hashes of known clean applications. In WO/2007066333, checksums are calculated and compared against the known checksums.
However, detection of a virus in a computer system is only one part of the task. It is far more important to detect a potential for an epidemic that can infect hundreds and thousands of computers within numerous networks. In US Patent Publication No. 20080134335, a method for determining a potential spread of a detected virus is disclosed. However, it happens after the virus hasstarted to spread and does not prevent an epidemic.
In US Patent Publication No. 20060259967 and US Patent Publication No. 20060236392 a method for detecting malware based on a level of activity of some events is disclosed. Once an activity threshold is reached, security measures are applied. U.S. Pat. No. 7,418,732 discloses a method for processing network packets in order to prevent from spreading malware within the network. In US Patent Publication No. 20090064332, a method for detecting a source of malware threat and determining the level of a potential hazard is disclosed. Also, in US Patent Publication No. 20060070130, a method for determining a source of malware once the malware is detected is disclosed.
However, conventional systems do not provide an efficient detection and prevention of epidemics when a massive number of computer systems and entire networks get infected very fast.
It is apparent that improved techniques for detection and prevention of computer virus-related epidemics are desired. Accordingly, there is a need in the art for a system and method that addresses the need for detecting and predicting the epidemics.